GengZAST.AI verified a previously undisclosed ACE path in verl <= 0.7.0. verl is a ByteDance-initiated project: https://github.com/verl-project/verl/ (20.5k GitHub stars as of April 6, 2026).
Prompt-controlled model output flowed through match_answer() and ended up in eval(prediction) inside matrix grading.
This is the part that matters: it is not just unsafe eval(), it is an execution-boundary failure inside a training pipeline.
A poisoned dataset or other controllable training input lives upstream, the model emits the payload, and the reward path executes it.
Full report: https://blog.zast.ai/vulnerability%20research/ai%20security/When-Prompt-Injection-Reaches-Code-Execution/